diff options
author | Dave Lawrence <dlawrence@mozilla.com> | 2011-11-28 17:38:31 +0100 |
---|---|---|
committer | Dave Lawrence <dlawrence@mozilla.com> | 2011-11-28 17:38:31 +0100 |
commit | faac5e70ce92133773a2043619f9f23870beb14b (patch) | |
tree | 6f7a03e9e4c14cfa2ee701622f79af9a449ad97e | |
parent | 4e01a91159acec1075c5d156e2e9c956167696c0 (diff) | |
download | bugzilla-faac5e70ce92133773a2043619f9f23870beb14b.tar.gz bugzilla-faac5e70ce92133773a2043619f9f23870beb14b.tar.xz |
Bug 704308 - CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation
-rwxr-xr-x | enter_bug.cgi | 2 | ||||
-rwxr-xr-x | post_bug.cgi | 35 | ||||
-rwxr-xr-x | process_bug.cgi | 3 | ||||
-rw-r--r-- | template/en/default/bug/create/confirm-create-dupe.html.tmpl | 57 |
4 files changed, 8 insertions, 89 deletions
diff --git a/enter_bug.cgi b/enter_bug.cgi index 85e69e535..7a471ab95 100755 --- a/enter_bug.cgi +++ b/enter_bug.cgi @@ -225,7 +225,7 @@ $vars->{'qa_contact_disabled'} = !$has_editbugs; $vars->{'cloned_bug_id'} = $cloned_bug_id; -$vars->{'token'} = issue_session_token('createbug:'); +$vars->{'token'} = issue_session_token('create_bug'); my @enter_bug_fields = grep { $_->enter_bug } Bugzilla->active_custom_fields; diff --git a/post_bug.cgi b/post_bug.cgi index d4b679692..af8c2cd2e 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -68,30 +68,7 @@ if (Bugzilla->params->{disable_bug_updates}) { # Detect if the user already used the same form to submit a bug my $token = trim($cgi->param('token')); -if ($token) { - my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token); - unless ($creator_id - && ($creator_id == $user->id) - && ($old_bug_id =~ "^createbug:")) - { - # The token is invalid. - ThrowUserError('token_does_not_exist'); - } - - $old_bug_id =~ s/^createbug://; - - if ($old_bug_id && (!$cgi->param('ignore_token') - || ($cgi->param('ignore_token') != $old_bug_id))) - { - $vars->{'bugid'} = $old_bug_id; - $vars->{'allow_override'} = defined $cgi->param('ignore_token') ? 0 : 1; - - print $cgi->header(); - $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - exit; - } -} +check_token_data($token, 'create_bug', 'index.cgi'); # do a match on the fields if applicable Bugzilla::User::match_field ({ @@ -175,8 +152,10 @@ foreach my $field (@multi_selects) { my $bug = Bugzilla::Bug->create(\%bug_params); -# Get the bug ID back. +# Get the bug ID back and delete the token used to create this bug. my $id = $bug->bug_id; +delete_token($token); + # We do this directly from the DB because $bug->creation_ts has the seconds # formatted out of it (which should be fixed some day). my $timestamp = $dbh->selectrow_array( @@ -249,12 +228,6 @@ Bugzilla::Hook::process('post_bug_after_creation', { vars => $vars }); ThrowCodeError("bug_error", { bug => $bug }) if $bug->error; -if ($token) { - trick_taint($token); - $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef, - ("createbug:$id", $token)); -} - my $recipients = { changer => $user }; my $bug_sent = Bugzilla::BugMail::Send($id, $recipients); $bug_sent->{type} = 'created'; diff --git a/process_bug.cgi b/process_bug.cgi index d44b9dda3..3d8b6bda2 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -391,6 +391,9 @@ foreach my $bug (@bug_objects) { $bug->send_changes($changes, $vars); } +# Delete the session token used for the mass-change. +delete_token($token) unless $cgi->param('id'); + if (Bugzilla->usage_mode == USAGE_MODE_EMAIL) { # Do nothing. } diff --git a/template/en/default/bug/create/confirm-create-dupe.html.tmpl b/template/en/default/bug/create/confirm-create-dupe.html.tmpl deleted file mode 100644 index b0a5cddda..000000000 --- a/template/en/default/bug/create/confirm-create-dupe.html.tmpl +++ /dev/null @@ -1,57 +0,0 @@ -[%# The contents of this file are subject to the Mozilla Public - # License Version 1.1 (the "License"); you may not use this file - # except in compliance with the License. You may obtain a copy of - # the License at http://www.mozilla.org/MPL/ - # - # Software distributed under the License is distributed on an "AS - # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - # implied. See the License for the specific language governing - # rights and limitations under the License. - # - # The Original Code is the Bugzilla Bug Tracking System. - # - # The Initial Developer of the Original Code is Olav Vitters. - # - # Contributor(s): Olav Vitters <olav@bkor.dhs.org> - #%] - -[%# INTERFACE: - # bugid: integer. ID of the bug previously used to create a bug. - # allow_override: boolean int. Is 1 if the user may submit the bug again. - #%] - -[% PROCESS "global/field-descs.none.tmpl" %] - -[% PROCESS global/header.html.tmpl - title = "Already filed $terms.bug" -%] - -[% USE Bugzilla %] - -<table cellpadding="20"> - <tr> - <td bgcolor="#ff0000"> - <font size="+2"> - You already used the form to file [% "$terms.bug $bugid" FILTER bug_link(bugid) FILTER none %]. - </font> - </td> - </tr> -</table> - -<p><font size="big">You are highly encouraged to visit [% "$terms.bug $bugid" -FILTER bug_link(bugid) FILTER none %].</font></p> - -[% IF allow_override %] - <p>If you are sure you used the same form to submit a new [% terms.bug %], - click 'File [% terms.bug %] again'.<p> - - <form name="create" id="create" method="post" action="post_bug.cgi" - [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]> - [% PROCESS "global/hidden-fields.html.tmpl" - exclude="^(Bugzilla_login|Bugzilla_password|ignore_token)$" %] - <input type="hidden" name="ignore_token" value="[% bugid FILTER html %]"> - <input type="submit" value="File [% terms.bug %] again" id="file_bug_again"> - </form> -[% END %] - -[% PROCESS global/footer.html.tmpl %] |